feat(secrets): bump bc-detect-secrets to version 1.5.4 (#5998)

* Updated bc-detect-secrets to version 1.5.4

* Filter only relevant checks for test

* Solve issue with pipenv-setup

.pre-commit-config.yaml

@@ -32,6 +32,7 @@ repos:
         args: []
         additional_dependencies:
           - vistir<0.7.0  # can be removed, when v4.0.0 of pipenv-setup comes out
+          - plette<1.0.0  # Solve issue of import error for plette.models
   - repo: https://github.com/seddonym/import-linter  # checks the import dependencies between each other
     rev: v1.12.1
     hooks:

Pipfile

@@ -43,7 +43,7 @@ types-colorama = "<0.5.0,>=0.4.3"
 # REMINDER: Update "install_requires" deps on setup.py when changing
 #
 bc-python-hcl2 = "==0.4.2"
-bc-detect-secrets = "==1.4.30"
+bc-detect-secrets = "==1.5.4"
 bc-jsonpath-ng = "==1.6.1"
 pycep-parser = "==0.4.1"
 tabulate = ">=0.9.0,<0.10.0"

setup.py

@@ -66,7 +66,7 @@ def run(self) -> None:
     },
     install_requires=[
         "bc-python-hcl2==0.4.2",
-        "bc-detect-secrets==1.4.30",
+        "bc-detect-secrets==1.5.4",
         "bc-jsonpath-ng==1.6.1",
         "pycep-parser==0.4.1",
         "tabulate>=0.9.0,<0.10.0",

tests/secrets/test_load_detectors.py

@@ -7,6 +7,7 @@
 from checkov.runner_filter import RunnerFilter
 from checkov.secrets.plugins.load_detectors import modify_secrets_policy_to_detectors, get_runnable_plugins
 from checkov.secrets.runner import Runner
+from tests.secrets.utils_for_test import _filter_reports_for_incident_ids
 
 
 class TestLoadDetectors(unittest.TestCase):
@@ -237,7 +238,8 @@ def test_custom_regex_detector(self):
         report = runner.run(root_folder=valid_dir_path,
                             runner_filter=RunnerFilter(framework=['secrets'],
                                                        enable_secret_scan_all_files=True))
-        self.assertEqual(len(report.failed_checks), 3)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks, ["test1", "test2"])
+        self.assertEqual(len(interesting_failed_checks), 3)
 
     def test_non_entropy_take_precedence_over_entropy(self):
         # given: File with entropy secret and custom secret
@@ -283,8 +285,9 @@ def test_non_entropy_take_precedence_over_entropy(self):
         report = runner.run(root_folder=valid_dir_path, runner_filter=RunnerFilter(framework=['secrets'], enable_secret_scan_all_files=True))
 
         # then: Validating that the non-entropy is the one.
-        self.assertEqual(len(report.failed_checks), 1)
-        self.assertEqual(report.failed_checks[0].check_id, check_id)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks, ["test1"])
+        self.assertEqual(len(interesting_failed_checks), 1)
+        self.assertEqual(interesting_failed_checks[0].check_id, check_id)
 
     def test_custom_regex_detector_value_str(self):
         current_dir = os.path.dirname(os.path.realpath(__file__))
@@ -357,7 +360,8 @@ def test_custom_regex_detector_value_str(self):
         report = runner.run(root_folder=valid_dir_path,
                             runner_filter=RunnerFilter(framework=['secrets'],
                                                        enable_secret_scan_all_files=True))
-        self.assertEqual(len(report.failed_checks), 3)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks, ["test1", "test2"])
+        self.assertEqual(len(interesting_failed_checks), 3)
 
     def test_custom_regex_detector_in_custom_limit_characters(self):
         current_dir = os.path.dirname(os.path.realpath(__file__))
@@ -399,7 +403,8 @@ def test_custom_regex_detector_in_custom_limit_characters(self):
         report = runner.run(root_folder=valid_dir_path,
                             runner_filter=RunnerFilter(framework=['secrets'],
                                                        enable_secret_scan_all_files=True))
-        self.assertEqual(len(report.failed_checks), 1)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks, ["test1", "test2"])
+        self.assertEqual(len(interesting_failed_checks), 1)
 
     def test_custom_regex_detector_out_custom_limit_characters(self):
         current_dir = os.path.dirname(os.path.realpath(__file__))
@@ -441,7 +446,8 @@ def test_custom_regex_detector_out_custom_limit_characters(self):
         report = runner.run(root_folder=valid_dir_path,
                             runner_filter=RunnerFilter(framework=['secrets'],
                                                        enable_secret_scan_all_files=True))
-        self.assertEqual(len(report.failed_checks), 0)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks, ["test1", "test2"])
+        self.assertEqual(len(interesting_failed_checks), 0)
 
     def test_custom_regex_detector_skip_long_line(self):
         #  given
@@ -662,7 +668,8 @@ def test_custom_multiline_regex_detector(self):
                             runner_filter=RunnerFilter(
                                 framework=['secrets'],
                                 enable_secret_scan_all_files=True))
-        self.assertEqual(len(report.failed_checks), 3)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks, ["test1", "test2"])
+        self.assertEqual(len(interesting_failed_checks), 3)
 
     def test_custom_multiline_regex_detector_only_scan_file(self):
         current_dir = os.path.dirname(os.path.realpath(__file__))
@@ -727,7 +734,8 @@ def test_custom_multiline_regex_detector_only_scan_file(self):
         report = runner.run(root_folder=valid_dir_path,
                             runner_filter=RunnerFilter(framework=['secrets'],
                                                        enable_secret_scan_all_files=True))
-        self.assertEqual(len(report.failed_checks), 2)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks, ["test1", "test2"])
+        self.assertEqual(len(interesting_failed_checks), 2)
 
     def test_custom_multiline_regex_detector_only_supported_files(self):
         current_dir = os.path.dirname(os.path.realpath(__file__))
@@ -792,4 +800,5 @@ def test_custom_multiline_regex_detector_only_supported_files(self):
         report = runner.run(root_folder=valid_dir_path,
                             runner_filter=RunnerFilter(framework=['secrets'],
                                                        enable_secret_scan_all_files=True))
-        self.assertEqual(len(report.failed_checks), 1)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks, ["test1", "test2"])
+        self.assertEqual(len(interesting_failed_checks), 1)

tests/secrets/test_plugin_multiline_yml.py

@@ -10,6 +10,7 @@
 from checkov.secrets.plugins.entropy_keyword_combinator import REGEX_VALUE_KEYWORD_BY_FILETYPE
 from checkov.secrets.plugins.entropy_keyword_combinator import REGEX_VALUE_SECRET_BY_FILETYPE
 from checkov.secrets.runner import Runner
+from tests.secrets.utils_for_test import _filter_reports_for_incident_ids
 
 
 class TestCombinatorPluginMultilineYml(unittest.TestCase):
@@ -182,7 +183,9 @@ def test_non_multiline_pair_time_limit_creating_report(self):
 
         # then
         assert end_time-start_time < 1  # assert the time limit is not too long for parsing long lines.
-        self.assertEqual(len(report.failed_checks), 4)
+        interesting_failed_checks = _filter_reports_for_incident_ids(report.failed_checks,
+                                                                     ["CKV_SECRET_4", "CKV_SECRET_6", "CKV_SECRET_13"])
+        self.assertEqual(len(interesting_failed_checks), 4)
         self.assertEqual(report.parsing_errors, [])
         self.assertEqual(report.passed_checks, [])
         self.assertEqual(report.skipped_checks, [])

tests/secrets/utils_for_test.py

@@ -0,0 +1,8 @@
+from typing import List
+
+from checkov.common.output.record import Record
+
+
+def _filter_reports_for_incident_ids(failed_checks: List[Record], policy_names: List[str]) \
+        -> List[Record]:
+    return [failed_check for failed_check in failed_checks if failed_check.check_id in policy_names]